The biggest data breaches of 2020

In this day and age, data breaches seem to be everywhere.

And yet, despite all the risks, we still live in a world of unprotected devices, default credentials, and lax cybersecurity measures.

It’s no wonder that more than 1,000 data breaches plagued 2019. And 2020 is no better, with hackers hard at work.

Millions of accounts have already been compromised.

Let’s take a look at some of 2020’s biggest data breaches so far.

The SolarWinds hack

In 2020, American government bodies suffered one of the most significant cyberattacks ever.

The SolarWinds attack, which had gone undetected for months, was first publicly reported on December 13, 2020.

Initially, it looked like the attack only affected the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA).

However, as days went by, more departments and private organizations started reporting breaches.

Russian hackers seem to have exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware. But SolarWinds’s Orion software was one of the main entry points for the attack.

This is an essential piece of information because many authorities and industry giants use software from SolarWinds, despite their lackluster security history.

Through SolarWinds’ hacked program, the attackers managed to install the Supernova and CosmicGale malware and infiltrate at least 18,000 government and private networks.

The hack had a significant impact on both the government and the private sector, including:

• • • Department of Agriculture
    • Department of Commerce
    • Department of Defense
    • Department of Energy
    • Department of Health and Human Services
    • National Institutes of Health
    • Department of Homeland Security
    • Department of Justice
    • Department of Labor
    • Department of State
    • Department of the Treasury
    • Belkin
    • Cisco Systems
    • Cox Communications
    • Equifax
    • FireEye
    • Malwarebytes
    • Mimecast
    • Nvidia
    • SolarWinds
    • VMware

The attack prompted a debate on whether the hack should be treated as cyber espionage or as a cyberattack constituting an act of war.

The reasons behind the attack are still unknown.

The Twitter Hack

One of the most brazen data breaches of the year came to be known as the Twitter Hack.

Perpetrators targeted 130 verified accounts belonging to top politicians and celebrities, like Barack Obama, Elon Musk, Joseph R. Biden Jr., Bill Gates, and companies like Apple and Uber. They manage to change the password of 45 of these accounts.

Hackers entered Twitter’s internal systems by posing as company IT officials making a support call. One of the perpetrators, a 17-year-old, pretended to offer help with the company’s VPN issues. And since Twitter has had problems with this, the interaction looked the part.

This way, one employee account was compromised and paved the way for accessing Twitter celebrity handles.

What’s more, hackers also got access to information from a department responsible for responding to sensitive global legal requests and developing and enforcing policies to prohibit abusive online behavior.

Hackers then posted fake tweets from these accounts, all focusing on BitCoin. Even though they were a scam, the tweets got a push from some of the United States’ most prominent political and entertainment handles.

The tweets were up for around 4 hours. During this time, the Bitcoin wallet they promoted received over $100,000 from more than 300 transactions.

Twitter stepped in to regain control and delete the posts, but some accounts continued posting similar messages.

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear-phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.

The Twitter team in an update on their blog

The hackers also managed to compromise personal information, by downloading account information through Twitter’s “Your Twitter Data” tool. The tool provides a summary of a Twitter account’s details and activity.

This information includes:

• • • user’s profile information
    • Tweets
    • DMs
    • media files
    • a list of the account’s followers
    • a list of accounts the user follows
    • demographic information
    • information about ads the user has seen or engaged with on Twitter.

While the scam may have been relatively small in terms of financial impact, security experts were concerned about its implications.

At the time of the attack, Twitter had no chief information security officer (CISO). They haven’t had one since December 2019.

The ability to take over social media through social engineering involving employees of these companies poses a significant threat, particularly in the lead-up to the 2020 United States presidential election. They were also worried about a potential international incident.

Many have called for additional cybersecurity regulation of major tech platforms. While social media websites are traditionally overlook compared to financial sites, cybersecurity weaknesses at a large social media company can have widespread consequences.

Some security experts claimed it was problematic that social media companies have no dedicated regulator. They have to adhere to the same security standards applicable to public companies, despite handling a considerably larger amount of user personal data.

The Marriott data breach

On March 31, 2020, the hotel chain Marriott disclosed a security breach that impacted more than 5.2 million guests who’ve used their company’s loyalty application.

Hackers got the login credentials of two Marriott employee accounts. Then, they siphoned data from Marriott’s loyalty scheme for about a month, until the company discovered the breach.

The hackers got access to personal information like:

• • • names
    • birthdates
    • telephone numbers
    • travel information
    • and any other loyalty program information.

Marriott said there is no reason to believe that payment information was leaked.

The company claims hackers might have obtained credentials of their employees either by credential stuffing or phishing.

Marriott notified impacted guests and launched a dedicated website with more resources for them. The company is also providing a personal information monitoring service to those affected.

This marks Marriott’s second data breach in recent years, following a breach in 2018 when up to 500 million guests had their data stolen.

Clearview AI

Clearview AI is a facial recognition company using vast databases of images scraped off platforms like Facebook, Twitter, YouTube, Venmo, and LinkedIn. They were the victim of a data breach after a hacker gained access to the company’s entire client list.

The company was already in hot water over its face recognition tech, and this data breach was another blow.

Mind you, most of Clearview AI’s clients are US law enforcement agencies and other corporate entities. Police departments use Clearview AI’s scraped images to match photographs of suspects.

Several high-profile tech companies like Google, Facebook, YouTube, and Twitter had previously issued cease and desist letters to Clearview AI. They’ve claimed that scraping pictures off their sites is illegal or violates their terms of service.

According to the report, the data breach included:

• • • the names of Clearview AI’s clients
    • the number of user accounts
    • the number of searches they had conducted

However, Clearview AI said that it had quickly taken care of the vulnerability that was exploited in the breach, and the hacker didn’t get any search histories.

As you can imagine, they didn’t talk about the extent of the data breach or its broader implications.

This led to speculations that it was a hacktivism incident where hackers took action against the company for ethical reasons.

The triple strike: YouTube, Instagram, and TikTok

In a database breach, over 235 million Instagram, TikTok, and YouTube users had their profile data scrapped.

Web scraping is the automated technique used to gather data from Social Data, an analytics website that sells influencers’ info to marketers.

Although the practice is legal, it is strictly prohibited by social media companies as it puts the privacy of their users and their data at risk.

Of the nearly 235m social media profiles in the database, 191m records were scraped from Instagram, 42m were scraped from TikTok, and almost 4m were scraped from YouTube.

Every record included at least some of the following information:

• • • Profile name
    • Full real name
    • Profile photo
    • Account description

The scrapped data also included statistics about follower engagement, like:

• • • Number of followers
    • Engagement rate
    • Follower growth rate
    • Audience gender
    • Audience age
    • Audience location
    • Likes
    • Last post timestamp
    • Age
    • Gender

This data breach left leaves many users vulnerable to spam and phishing campaigns. Scammers could now use their data for fake profiles, or their images might end in facial recognition databases.

The Nintendo data breach and leak

In March 2020, Nintendo users began complaining their accounts were charged for digital items they didn’t buy.

Then, in April, the gaming company announced that around 160,000 Nintendo accounts had been compromised.

The data breach exposed personal information like the account owner’s:

• • • Name
    • Email address
    • Date of birth
    • Country of residence

After further investigation, Nintendo released an updated statement, adding another 140,000 compromised accounts to the tally. Because of its magnitude, this is referred to online as the Gigaleak.

Nintendo claims that hackers got a hold of the accounts after they obtained passwords outside of their services, but they still haven’t disclosed how the accounts were accessed.

We sincerely apologize to our customers and related parties for any inconvenience and concern. In the future, we will make further efforts to strengthen security and ensure safety so that similar events do not occur.

A fragment from the Nintendo official statement

But just a few months later, in July, the source code for several of Nintendo’s video game consoles was leaked on 4chan.

The list of suspects includes companies contracted by Nintendo and people who’ve previously hacked Nintendo.

Virgin Media

In March 2020, Virgin Media, the telco company, confirmed that a database with the personal details of 900,000 people was left unsecured online. It was accessible for 10 months.

This breach isn’t the result of a hack or a criminal attack. It’s a consequence of a staff member not following internal procedures.

The database contained information meant for marketing purposes, like phone numbers, home, and email addresses. According to the company, not passwords or payment info were in there.

We recently became aware that one of our marketing databases was incorrectly configured, which allowed unauthorized access. We immediately solved the issue by shutting down access.

Lutz Schüler, Chief Executive of Virgin Media

But the database had been accessed at least once by an unauthorized party.

Virgin Media published a page on their website with more details and further advice for those affected.

EasyJet

EasyJet is the UK’s largest airline. So, it came as a bit of a surprise in May 2020, when we learned that hackers had accessed the travel details of 9 million EasyJet customers.

Around 2,200 customers also had their credit card details accessed in the data breach. But the company insisted that no passport records were accessed.

EasyJet also did not specify when the security incident happened or how the hackers got inside its systems.

A statement from the easyJet Board. For more information please visit https://t.co/0uD2cWPIJK pic.twitter.com/b0glUXs8mY

— easyJet (@easyJet) May 19, 2020

The incident was referred to the Information Commissioner’s Office, UK’s data protection agency.

Cybersecurity researchers have speculated that Chinese hackers might have been behind the hack, but easyJet hasn’t commented on these allegations so far.

Foxconn’s ransomware attack

The electronics giant, Foxconn, suffered a DoppelPaymer ransomware attack around the end of November 2020. The attackers targeted a facility in Ciudad Juárez, Mexico.

As part of the attack, the threat actors claimed to have encrypted about 1,200 servers, stole 100 GB of unencrypted files, and deleted 20-30 TB of backups. After the attack, the facility’s website went down.

The attackers demanded a 1804.0955 bitcoin ransom. At the time, that was around about $34,686,000.

As Foxconn refused to pay the ransom, the attackers made the data public.

The leak included generic business documents and reports but no financial information or any employee’s details.

Stay ahead of data breaches

Data breachers are always scary. Having your data out there and no control over the way companies secure your details is no fun.

The responsibility to protect your data is yours.

Current and former employees are responsible for 56% of cybercrime committed against companies.

Data theft poses risks not only to your personal info but to your financial security as well.

According to reports, Gmail accounts command about $156, as a compromised email account can provide access to various other services.

You can’t know which company can be targeted at what time. And constantly searching the news for data breaches isn’t much of a solution.

So, it’s essential to have a trusted ally to monitor for your credentials. And we have it right here, our Identity Guard!

It’s a convenient way that automatically checks your data is always safe. To access it, get a CyberGhost VPN subscription.

The CyberGhost Identity Guard

Here at CyberGhost, ever since our very beginning, we’ve put out tools to protect your digital privacy and anonymity.

And while VPNs are a great way of keeping your data away from Internet Service Providers, governments, and advertisers, most online services need personal details to work. Think online banking or virtual clinics that are so popular nowadays.

But in this case, you rely on companies to properly secure your data, which doesn’t always happen.

We think you should have more autonomy and be able to know if your data is ever compromised. That’s why we’ve launched the CyberGhost Privacy Guard.

Your email is the keeper of a lot of your private data, so cybercriminals routinely break into company databases and profit from leaking your credentials.

But our Leak Monitor feature lets you add your email addresses and actively monitor for them in data breaches, past and future.

We keep your email addresses under constant supervision. You get reports every two weeks, keeping you up to date with everything related to the security of your email address. And we notify you immediately if your email gets ends up online in a data breach trove.

But it’s still important to:

• • • Create complex and strong passwords
    • Never leave your device unattended in public spaces
    • Take your router security seriously
    • Avoid open public Wi-Fis
    • Increase your IoT security
    • Keep an eye out for phishing scams
    • Use two-factor authentication (2FA)

Practice good cyber hygiene and err on the side of caution using a data breach notification service, like CyberGhost Identity Guard, to reduce the impact of a data breach.

Until next time, stay safe and secure!